Before certifications, the only measure of whether someone knew what they claimed to know was an educational degree or an impressive resume. The military was always used to training its members when they entered the service. It provided some On the Job Training (OJT) while they were in the service, but nothing as formal as a certification class. The military believes in an approach where the higher the rank, the less actual wrench turning is accomplished. This unfortunately means missed opportunities and missing out on learning new technologies. The DoD 8570 program brought this idea back to keep the security of Information Systems in the forefront of everyone’s mind at least every couple of years.

The DoD 8570 was published in 2005 to address the concern of having unqualified personnel performing very critical cyber functions. This directive applied to all personnel who had access to any information system and performed any security function. This included system administrators, computer repair technicians, help desk technicians, information security managers, and directors of information security shops. This guideline allowed for a big change in the government. By establishing this guideline, units were able to request funds to train current personnel to the level needed to complete their jobs. It also allowed for the type of training to change before new military members were assigned to Information Assurance (IA) jobs. This movement helped make it a requirement that military members be qualified before deploying to a combat environment. Using this standard, the Department of Defense was able to raise the standards of its professionals and the industry. The 8570 was broken down into categories and certifications, and it helped define the standards that have been needed for a long time. Let’s examine how the 8570 program broke down Information Security into different categories.

Categories of 8570

To correctly evaluate an IA task force, all computer-related jobs had to be separated into categories. The five (5) main categories are Information Assurance Technician (IAT), Information Assurance Manager (IAM), Computer Network Defense (CND), Information Assurance System Architecture & Engineering (IASAE), and Computing Environment (CE). Each of these main categories has subcategories or levels defined in it. Each category also has a distinctive theme that relates to how a person in that category would progress through their career.

IAT, IAM, and IASAE are broken into three (3) levels that are based on job level and skills. All Level 1 jobs are centered around computer/system assets. Level 2 involves network-level equipment and the architecture to support it. Level 3 includes all the previous levels and includes enclave or enterprise server environments. Levels help define responsibilities and job-related tasks, and ensure that a clear path of progress is established. This allowed for job announcements, contracts, and training requirements to be better defined than before. Figures 1, 2, and 3 show the IAT, IAM, and IASAE levels respectively.

Figure 1: IAT Levels

Figure 2: IAM Levels

Figure 3: IASAE Levels

The CND and CE categories were broken into more detailed jobs/skills. The CND category has five (5) jobs: Analyst, Infrastructure Support, Incident Responder, Auditor, and Service Provider Manager. The CE contains two (2) jobs: Windows and Linux. These are more specialized jobs that require different skills than the other general categories. Figures 4, 5, 6 show the CND and CE categories.

Figure 4: CND Category Part 1

Figure 5: CND Categories Part 2

Figure 6: CE Categories

Certifications that qualify the category

Certifications were assigned to the levels of job requirements. The certifications match up mostly to the right categories. Some certs are also qualified in multiple categories. Certifications ensure that someone is qualified to an industry standard. Most of the certifications also require continuing education credits and a recertification fee. This helped ensure that knowledge was not lost after a period of time.

The 8570 program accepted the certifications from CompTIA, SANS, ISC2, ISACA, and EC-Council. As mentioned previously, some certifications would span multiple levels in a category. For example, GIAC Security Leadership (GSLC) would qualify at any level of IAM. So someone in that position could just keep that certification current and they would still meet the job requirement. This also applies to the Certified Ethical Hacker (CEH) for most of the CND jobs in that category. The list of certifications has been updated from the original list in 2005. CompTIA Advanced Security Practitioner was added to the approved certifications. Figures 7, 8, and 9 show the certifications each level requires.

Figure 7: IAT Certifications

Figure 8: IAM Certifications

Figure 9: CND Certifications

How does 8570 have a positive effect on the information security industry?

By the government requiring certifications, industry awareness was raised to require certifications for certain jobs. This movement also required contractors who worked with the government to be held to the same standards as everyone in the military. Commercial companies, on their own, raised their standards to match what the government had put in motion. This also created jobs by creating certification shops. This movement also allowed individuals to separate themselves from others by the certifications they accomplish.

The future is 8140 and why the move to it

Although 8570 was a great framework, it was used incorrectly to write up job requirements that were classified under incorrect categories. Jobs like software programmers, for example, did not fall into any one of the defined categories. This would lead to a job being over- or under-classified and not having the correct tasks assigned to it. A variety of career fields also needed more detailed initial training and follow-on training to complete tasks assigned to them. The technology that accessed DoD networks has changed drastically from 2005 to now include smart phones, web servers, cloud, and wireless.

Background on DoD 8140

This standard was originally planned to be implemented by the beginning of January 2013. The move to 8140 is a big change. More categories were added and some were redefined. The number of tasks also more than doubled. A movement this big requires that all the contracts (current and future), job requirements, training, and evaluations include the new requirements.

The DoD 8140 model is based on the National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education (NICE) standard. This model defines categories and even job titles very clearly. This standard also defines tasks that would be associated within a category. Civilian job titles are described in this standard to better facilitate writing job requirements. The common types of work that fall under the main categories are known as “Special Areas”. The 8140 standard also breaks up into categories to structure work tasks together.

Categories of 8140

As with the 8570, the 8140 had to be broken into main categories and further broken down into tasks or special areas. This breakdown helps better define jobs, skills, training, and focus areas. There are seven (7) main categories that have tasks or special areas of their own. The main categories are Security Provision, Operate and Maintain, Protect and Defend, Analyze, Operate and Collect, Oversight and Development, and Investigate. The new framework allowed for many different classes, certifications, and formalized training to now qualify an individual as “certified” in that task. Having different avenues of training allows individuals to obtain inexpensive training and still be qualified in a task. This list is not set in stone and changes often as new classes can be submitted. Figure 10 shows the categories in 8140.

Figure 10: Categories of 8140

Security Provision

This category has seven (7) different special areas assigned under it. The jobs assigned to this category are centered around architecture and engineering. The special areas that fall under this category are Information Assurance Compliance, Software Assurance and Security Engineering, Systems Development, Systems Requirements Planning, Systems Security Architecture, Technology Research and Development, and Test and Evaluation. Certificates/classes in this category consist of Project Management (PMP), A+ Certification, SharePoint Management, and Server Administration. Figure 11 shows the special areas in this category.

Figure 11: Special Areas of the Security Provision Category

Operate and Maintain

Seven (7) different special areas are assigned under this category also. The jobs assigned in this category are centered around the daily operation and maintenance of computer, network, and enclave systems. The special areas in this category are Customer Service and Technical Support, Data Administration, Knowledge Management, Network Services, System Administration, and Systems Security Analysis. Some of the certificates/classes in this category include A+, Advanced Data Warehousing, Basic Network Traffic Analysis, and Cisco Certified Network Associate (CCNA). Figure 12 shows the special areas in this category.

Figure 12: Special Areas of the Operate & Maintain Category

Protect and Defend

The category has five (5) different special areas assigned under it. These jobs center around securing and defending against cyber-related attacks. Computer Network Defense Analysis, Computer Network Defense Infrastructure Support, Incident Response, and Vulnerability Assessment and Management are the special areas in this category. Some of the certificates/classes in this category include A+, Systems Security Certified Practitioner (SSCP), Advanced PCAP Analysis and Signature Dev, and Android Security and Exploitation. Figure 13 shows the special areas in this category.

Figure 13: Special Areas of the Protect & Defend Category

Analyze

This category has four (4) different special areas assigned under it. These jobs analyze networks, systems, and exploitations to provide signatures and mitigation strategies. The special areas in this category are All Source Intelligence, Exploitation Analysis, Targets, and Threat Analysis. Some of the certifications/classes in this category include Certified Ethical Hacker (CEH), Certificate in Oracle Database Administration, Counterintelligence for IT Professionals, and Cryptography and Public Key Infrastructure. Figure 14 shows the special areas in this category.

Figure 14: Special Areas of the Analyze Category

Operate and Collect

This category has three (3) different special areas assigned under it. These jobs are centered around cyber operations and planning. Collection Operations, Cyber Operations, and Cyber Operations Planning are the special areas in this category. Some of the certifications/classes in this category include Arm Assembler Programming Language, Business Execution: Crafting a Business Strategy that Executes, Security+, and Digital Photography for Law Enforcement. Figure 15 shows the special areas in this category.

Figure 15: Special Areas of the Operate & Collect Category

Oversight and Development

This category has three (3) different special areas assigned under it. These jobs look at the legal aspect, the planning, and the education/training that needs to take place. The special areas in this category are Education and Training, Legal Advice and Advocacy, and Strategic Planning and Policy Development. Some of the certifications/classes in this category include Business Law Basic Concepts, Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Cloud Computing Executive Overview. Figure 16 shows the special areas in this category.

Figure 16: Special Areas of the Oversight & Development Category

Investigate

This category has two (2) special areas assigned under it. These jobs look deeply at investigation and forensics of computer assets. Digital Forensics and Investigation are the special areas under this category. Some of the certifications/classes in this category include Basic Imaging and Extraction Course, Basic Network Traffic Analysis, CompTIA Linux+ Certification Prep, CompTIA Network+, and Computer Incident Responders Course. Figure 17 shows the special areas in this category.

Tobias McCurry is a Senior Penetration Tester. He served in the Air Force for 10 years. He is a seasoned systems and network administrator with extensive leading-edge IT knowledge and experience in delivering exceptional customer satisfaction and improving overall operations. He holds a Bachelor of Computer Science with a specialization in Information Systems Security from American Public University and holds numerous certifications, including GCIA, GXPN, GCFE, GWAPT, GCIH, GSNA, Security+, Project+, A+, and CIW Web Design Specialist.

Very well structured and a great intro read to the changes of 8140, I appreciate the references too. Thank You.

cyber

Would that include security administrators as well? Some security systems are not located within the domain itself, in case the system is compromised and does not affect the entire domain; that is why most security analysts have to maintain, configure, patch, back up, and secure, etc., their own systems themselves, due to STIG accessibility requirements by the win admins.

JJ

Ever wondered how we arrived at this junction… 1st computer – no certs, 60yr+ PPS – no certs – cell phones – no certs – wonder how many applications are created by non-certified programmers – space rockets used computers … ergo maybe that's why we have not been back to the moon, because of a lack of certified personnel… Think of all those inventions envisioned and created by non-certified people… Curious if a hacker reads this if they would share when they became a non-certified unethical hacker (NCUEH)…. Too much reliance on certifications… Spending far too much $$$$. A professional is one who seeks knowledge and maintains knowledge without the need for some company or government mandating requirements. We do not understand the enemy but the enemy understands us all too well… something to consider …. Wait one sec … We all need Common Sense Certification… was it the computer nerds who began saying “think outside the box”

Sun Tzu

Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.
The supreme art of war is to subdue the enemy without fighting.
Opportunities multiply as they are seized.

If you know the enemy and know yourself, you need not fear the result of
a hundred battles. If you know yourself but not the enemy, for every
victory gained you will also suffer a defeat. If you know neither the
enemy nor yourself, you will succumb in every battle.

JJ

“The military believes in an approach where the higher in rank, the less
actual wrench turning is accomplished. This unfortunately means missed
opportunities and missing out on learning of new technologies.”

That’s half true. The truth is the higher rank = greater knowledge, which is then passed down to lower ranks via mentorship, apprenticeship demonstrations, endless drills, instructions and leadership. Another lesson learned from the military is the significant difference between being book smart and smart. In military training the incentive is to think then react, not react then think. Another lesson is that the ability to regurgitate information short term is as foolish as trying to know it all. What is taught is an understanding of how systems and their sub-parts work. Importantly, know thy references.

Do not be misled by what an 18-year-old can do or accomplish in a short time…. they can learn to operate multi-million dollar systems and use computer systems prior to the PC, the internet, and certifications…. Then we had experts that did not require googling the information 1st or being a jack… when asked a question and giving a response, shall I google it for ya…

Individual commitment to a group effort – that is what makes a team work, a company work,
a society work, a civilization work.

Vince Lombardi
